Differential and Rectangle Attacks on Reduced-Round SHACAL-1?

Jiqiang Lu1??, Jongsung Kim2,3???, Nathan Keller4†, and Orr Dunkelman5‡

1 Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, UK [email protected] 2 ESAT/SCD-COSIC, Katholieke Universiteit Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium [email protected] 3 Center for Information Security Technologies(CIST), Korea University Anam Dong, Sungbuk Gu, Seoul, Korea [email protected] 4Einstein Institute of Mathematics, Hebrew University Jerusalem 91904, Israel [email protected] 5Computer Science Department, Technion Haifa 32000, Israel [email protected]

Abstract. SHACAL-1 is an 80-round block cipher with a 160-bit block size and a key of up to 512 bits. In this paper, we present rectangle at- tacks on the first 51 rounds and a series of inner 52 rounds of SHACAL-1, and also present differential attacks on the first 49 rounds and a series of inner 55 rounds of SHACAL-1. These are the best currently known cryptanalytic results on SHACAL-1 in an one key attack scenario.

Key words: Block cipher, SHACAL-1, Differential cryptanalysis, Am- plified boomerang attack, Rectangle attack

? A shortened version of this paper was published in Proceedings of INDOCRYPT2006 — The Seventh International Conference on Cryptography in India, Kolkata, INDIA, Rana Barua and Tanja Lange (eds), Volume of Lecture Notes in Computer Science, pp., Springer-Verlag, 2006 ?? This author as well as his work was supported by a Royal Holloway Scholarship and the European Commission under contract IST-2002-507932 (ECRYPT). ??? This author was financed by a Ph.D grant of the Katholieke Universiteit Leu- ven and by the Korea Research Foundation Grant funded by the Korean Gov- ernment(MOEHRD) (KRF-2005-213-D00077) and supported by the Concerted Re- search Action (GOA) Ambiorics 2005/11 of the Flemish Government and by the European Commission through the IST Programme under Contract IST2002507932 ECRYPT. † This author was supported by the Adams fellowship. ‡ This author was partially supported by the Israel MOD Research and Technology Unit. 1 Introduction

In 2000, Handschuh and Naccache [10] proposed a 160-bit block cipher SHACAL based on the compression function of the standardized hash function SHA-1 [21]. In 2001, they proposed two versions, known as SHACAL-1 and SHACAL-2 [11], where SHACAL-1 is the same as the original SHACAL, while SHACAL-2 is a 256-bit block cipher based on the compression function of SHA-256 [22]. Both SHACAL-1 and SHACAL-2 were selected for the second phase of the NESSIE (New European Schemes for Signatures, Integrity, and Encryption) project [19]; however, in 2003, SHACAL-1 was not recommended for the NESSIE portfolio because of concerns about its key schedule, while SHACAL-2 was finally selected as one of the NESSIE finalists. Since SHACAL-1 is the compression function of SHA-1 used in encryption mode, there is much significance to investigate its security against different cryptanalytic attacks. The security of SHACAL-1 against differential cryptanalysis [2] and linear cryptanalysis [18] was first analyzed by the proposers. Subsequently, Nakahara Jr. [20] conducted a statistical evaluation of the cipher. In 2002, Kim et al. [16] presented a differential attack on the first 41 rounds of SHACAL-1 with 512 key bits and an amplified boomerang attack on the first 47 rounds of SHACAL-1 with 512 key bits, where the former attack is due to a 30-round differential char- acteristic with probability 2−138, while the latter attack is based on a 36-round amplified boomerang distinguisher (see Table 3 in Appendix A for the two dif- ferentials), which was conjectured by the authors to be the longest distinguisher (i.e., the distinguisher with the greatest number of rounds). However, in 2003, Biham et al. [5] pointed out that the step for judging whether a final candidate subkey is the right one in the amplified boomerang attacks presented in [16] is incorrect due to a flaw in the analysis on the number of wrong quartets that sat- isfy the conditions of a right quartet. They then corrected it with the fact that all the subkeys of SHACAL-1 are linearly dependent on the user key. Finally, by converting the Kim et al.’s 36-round boomerang distinguisher to a 36-round rectangle distinguisher, Biham et al. presented rectangle attacks on the first 47 rounds and two series of inner 49 rounds of SHACAL-1 with 512 key bits. These are the best cryptanalytic results on SHACAL-1 in an one key attack sce- nario, prior to the work described in this paper. Other cryptanalytic results on SHACAL-1 include the following related-key attacks, which require two or four (related) keys: In 2004, Kim et al. [15] presented a related-key rectangle attack on the first 59 rounds. In 2005, Hong et al. [12] presented a related-key rectangle attack on the first 70 rounds. Most recently, Dunkelman et al. [8] presented a related-key rectangle attack on the full 80 rounds of SHACAL-1. Amplified boomerang attack [13], rectangle attack [3], and related-key rect- angle attack [6,12,15] are all variants of the boomerang attack [23]. As a result, they share the same basic idea of using two short differentials with larger prob- abilities instead of a long differential with a smaller probability. But, different from amplified boomerang attack and rectangle attack, related-key rectangle at- tack uses related-key differentials, which requires an additional assumption that the attacker should know or can choose the specific differences between one or two pairs of unknown keys. This additional assumption makes it very difficult or even infeasible to be conducted in most cryptographic applications, though cer- tain current applications may allow for related-key attacks [1], say key-exchange protocols [14]. In this paper, we exploit some better differential characteristics than those previously known in SHACAL-1. More specifically, we exploit a 24-round differ- ential characteristic with probability 2−50 for rounds 0 to 23 such that we con- struct a 38-round rectangle distinguisher with probability 2−302.3. Based on this distinguisher, we mount rectangle attacks on the first 51 rounds and a series of inner 52 rounds of SHACAL-1 with 512 key bits. We also exploit a 34-round dif- ferential characteristic with probability 2−148 for rounds 0 to 33 and a 40-round differential characteristic with probability 2−154 for rounds 30 to 69, which can be used to mount differential attacks on the first 49 rounds and a series of inner 55 rounds of SHACAL-1 with 512 key bits, respectively. The rest of this paper is organised as follows. In the next section, we briefly describe the SHACAL-1 cipher, the amplified boomerang attack and the rectan- gle attack. In Sections 3 and 4, we present rectangle and differential attacks on the aforementioned reduced-round versions of SHACAL-1, respectively. Section 5 concludes this paper.

2 Preliminaries

2.1 The SHACAL-1 Cipher SHACAL-1 [11] uses the compression function of SHA-1 [21], where the plaintext enters the compression function as the chaining value, and the key enters the compression function as the message block. Its encryption procedure can be described as follows,

1. The 160-bit plaintext P is divided into five 32-bit words A0||B0||C0||D0||E0. 2. For i = 0 to 79: Ai+1 = Ki
ROT5(Ai)
fi(Bi,Ci,Di)
Ei
Wi, Bi+1 = Ai, Ci+1 = ROT30(Bi), Di+1 = Ci, Ei+1 = Di. 3. The ciphertext is (A80||B80||C80||D80||E80), 32 where
denotes addition modulo 2 , ROTi(X) represents left rotation of X by i bits, || denotes string concatenation, Ki is the i-th round key, Wi is the i-th 1 round constant, and the function fi is defined as,  f = (B&C)|(¬B&D) 0 ≤ i ≤ 19  if fi(B,C,D) = fxor = B ⊕ C ⊕ D 20 ≤ i ≤ 39, 60 ≤ i ≤ 79  fmaj = (B&C)|(B&D)|(C&D) 40 ≤ i ≤ 59 1 We note that this is the opposite to Refs. [10,11,21]; however, we decide to stick to the common notation Ki as a round subkey. where & denotes the bitwise logical AND, ⊕ denotes the bitwise logical exclu- sive OR (XOR), ¬ denotes the complement, and | represents the bitwise OR operations. The key schedule of SHACAL-1 takes as input a variable length key of up to 512 bits; Shorter keys can be used by padding them with zeros to produce a 512-bit key string, however, the proposers recommend that the key should not be shorter than 128 bits. The 512-bit user key K is divided into sixteen 32-bit words K0,K1, ··· ,K15, which are the round keys for the first 16 rounds. Each of the remaining round keys is generated as Ki = ROT1(Ki−3 ⊕Ki−8 ⊕Ki−14 ⊕Ki−16).

2.2 Amplified Boomerang and Rectangle Attacks Amplified boomerang attack treats a block cipher E : {0, 1}n ×{0, 1}k → {0, 1}n as a cascade of two sub-ciphers E = E1 ◦ E0. It assumes that there exist two differentials: one differential α → β through E0 with probability p (i.e., P r[E0(X) ⊕ E0(X∗) = β|X ⊕ X∗ = α] = p), and the other differential γ → δ through E1 with probability q (i.e., P r[E1(X) ⊕ E1(X∗) = δ|X ⊕ X∗ = γ] = q), −n/2 with p and q satisfying p · q  2 . Two pairs of plaintexts (P1,P2 = P1 ⊕ α) and (P3,P4 = P3 ⊕ α) is called a right quartet if the following three conditions hold: 0 0 0 0 C1: E (P1) ⊕ E (P2) = E (P3) ⊕ E (P4) = β; 0 0 0 0 C2: E (P1) ⊕ E (P3) = E (P2) ⊕ E (P4) = γ; 1 0 1 0 1 0 1 0 C3: E (E (P1)) ⊕ E (E (P3)) = E (E (P2)) ⊕ E (E (P4)) = δ. If we take N pairs of plaintexts with the difference α, then we have ap- proximately N · p pairs with the output difference β after E0, which generate (N·p)2 about 2 candidate quartets. Assuming that the intermediate values after 0 0 0 E distribute uniformly over all possible values, we get E (P1) ⊕ E (P3) = γ −n 0 0 with probability 2 . Once this occurs, E (P2) ⊕ E (P4) = γ holds as well, as 0 0 0 0 0 0 0 0 E (P2) ⊕ E (P4) = E (P1) ⊕ E (P2) ⊕ E (P3) ⊕ E (P4) ⊕ E (P1) ⊕ E (P3) = γ. 2 (N·p) −n 2 As a result, the expected number of right quartets is about 2 · 2 · q = N 2 · 2−n−1 · (p · q)2. On the other hand, for a random cipher, the expected num- ber of right quartets is approximately N 2 · 2−2n. Therefore, if p · q > 2−n/2 and N is sufficiently large, the amplified boomerang distinguisher can effectively distinguish between E and a random cipher with an enough bias. Rectangle attack achieves advantage over an amplified boomerang attack by allowing β to take any possible value β0 in E0 and γ to take any possible value γ0 in E1, as long as β0 6= γ0. Starting with N pairs of plaintexts with the difference α, the expected number of right quartets is about N 2 · (p · q)2 · 2−n, where 1 1 b b P 2 0 2 P 2 0 2 pb = ( β0 P r (α → β )) , qb = ( γ0 P r (γ → δ)) .

3 Rectangle Attacks on Reduced-Round SHACAL-1

We exploit a 24-round differential characteristic with probability 2−50 for rounds 0–23: (e29, 0, 0, 0, e2,7) → (e14,29, e9,31, e2, e29, 0). Table 4 in Appendix A de- scribes the full differential. • By combining the 24-round differential with a differential composed of rounds 24–35 of the second differential of [16] (which has probability 2−20 in these rounds), a 36-round distinguisher with probability 2−300(= (2−50 · 2−20)2 · 2−160) is obtained, gaining a factor of 212 over the probability of the most powerful currently known 36-round one due to Kim et al.. • By combining the 24-round differential with a differential composed of rounds 23–35 of the second differential of [16] (which has probability 2−24 in these rounds), a 37-round distinguisher with probability 2−308(= (2−50 · 2−24)2 · 2−160) is obtained. • By combining the 24-round differential with a differential composed of rounds 21–34 of the second differential of [16] (which has probability 2−27 in these rounds), a 38-round distinguisher with probability 2−314(= (2−50 · 2−27)2 · 2−160) is obtained.

These amplified boomerang distinguishers can be used to mount amplified boomerang attacks on certain reduced-round versions of SHACAL-1 with differ- ent lengths of user keys. Nevertheless, due to the nature that all the possible β and γ (as long as they are different) can be used in a rectangle distinguisher, these amplified boomerang distinguishers can be converted into rectangle distin- guishers so that the resultant rectangle attacks can work more efficiently. Here, we will just present rectangle attacks on SHACAL-1 with 512 key bits based on the 38-round distinguisher.

3.1 Attacking Rounds 0 to 50

1 0 0 Let Ef ◦E ◦E be the 51-round SHACAL-1 with 512 key bits, where E denotes 1 rounds 0 to 23, E denotes rounds 24 to 37, and Ef denotes rounds 38 to 50. To compute pb (resp., qb) (defined in Section 2.2) in such an attack, we need to summarize all the possible output differences β0 for the input difference α through E0 (resp., all the possible input differences γ0 having an output differ- ence δ through E1), which is computationally infeasible. As a countermeasure, we can count as many such possible differentials as we can. For simplicity, we compute pb by just counting the 24-round differentials that only have variable output differences (∆A24, e9,31, e2, e29, 0) compared with the 2 z }| { 24-round differential, where ∆A24 is an element from the set {(0, ··· , 0, 1, ··· , 1, | {z } m 14 9 z }| { z }| { 1, 0, ··· , 0, 1, ··· , 1, 1, 0, ··· , 0, 1, ··· , 1, 0, 0, 0, 0, 0)|0 ≤ m ≤ 2, 0 ≤ j ≤ 14, 0 ≤ | {z } | {z } j k k ≤ 9}, for such an output difference with the form is possible for the input difference (e9,31, e4, e29, 0, 0) to round 23. It was shown in [17] that the following Theorem 1 holds for the addition difference, Theorem 1. [17] Given three 32-bit differences ∆X, ∆Y and ∆Z. If the prob- ability P rob[(∆X, ∆Y ) →
∆Z] > 0, then

P rob[(∆X, ∆Y ) →
∆Z] = 2s, where the integer s is given by s = #{i|0 ≤ i ≤ 30, not((∆X)i = (∆Y )i = (∆Z)i)}.

−49.39 Thus, we can compute a loose lower bound pb = 2 by only counting the 46 differentials with k + j + m ≤ 5; when k + j + m > 5 the contribution is negligible. We note that the more the counted possible differentials, the better the resultant pb, but according to our results the improvement is negligible. −30.28 Biham et al. [5] got a lower bound qb in their attack as qb = 2 by only changing the first one or two rounds in the Kim et al.’s second differential. Since our 38-round distinguisher just uses the first 14 rounds from round 21 to 34 in the Kim et al.’s second differential, throwing round 35 away, therefore, −26.28 −30.28 4 2 (= 2 · 2 ) is the right value for the qb in our attack. Now, we conclude that the distinguisher holds a lower bound probability 2−311.34(≈ (2−49.39 · 2−26.28)2 · 2−160). However, we can adopt the following two techniques to further reduce the complexity of the attack:

∗ ∗ ∗ T1) Fix the four fixed bits a9 = a9 = 0, b9 = b9 = 0, b31 = b31 = 0 ∗ and c29 = c29 = 0 in any pair of plaintexts P = (A, B, C, D, E) and ∗ ∗ ∗ ∗ ∗ ∗ P = (A ,B ,C ,D ,E ), where xi is the i-th bit of X. This increases the probability of the characteristic in the first round by a factor of 4. Thus, a lower bound probability 2−47.39(= 22 · 2−49.39) is obtained for the above 46 possible 24-round differentials with such four bits fixed in any pair. T2) Count many possible 14-round differentials γ0 → δ0 for each input difference γ0 to round 24 in our distinguisher. For expediency, we count those 14-round differentials that only have variable output differences (∆A38, e9,31, e2, e29, 0) compared with the 14-round differential from round 21 to 34 in the Kim et al.’s second differential. In our observation on this 1-round difference, there −3 are at least two possible ∆A38 (i.e., e29, e14,29) with probability 2 , four pos- −4 sible ∆A38 (i.e., e5,14,29, e14,15,29, e14,29,30, e14,29,30,31) with probability 2 , and seven possible ∆A38 (i.e., e5,14,29,30,31, e14,15,29,30,31, e5,6,14,29, e5,14,15,29, −5 e14,15,16,29, e5,14,29,30, e14,15,29,30) with probability 2 . We denote the set of these 13 differences by S. Thus, these 13 possible 14-round differentials hold a lower bound probability of 2−23.76(≈ 2 · 2−26.28 + 4 · 2−27.28 + 7 · 2−28.28).

Finally, this rectangle distinguisher holds a lower bound probability 2−302.3(≈ (2−47.39 ·2−23.76)2 ·2−160) for the right key, while it now holds with a probability of 2−312.6(≈ (2−160 · (2 + 4 + 7))2) for a wrong key. The number of available plaintext pairs decreases to 2155 due to the four fixed bits. Consequently, we can apply this rectangle distinguisher to break the first 51 rounds of SHACAL-1. Attack procedure 152.65 1. Choose 2 pairs of plaintexts with difference α = (e29, 0, 0, 0, e2,7) and 0 152.65 four fixed bits as described above: (Pi,Pi ), for i = 1, 2, ··· , 2 . Ask for their encryption under 51-round SHACAL-1 to obtain their corresponding 0 152.65 305.3 ciphertext pairs (Ci,Ci). The 2 pairs generate about 2 candidate quartets ((P ,P 0 ), (P ,P 0 )), where 1 ≤ i , i ≤ 2152.65. i1 i1 i2 i2 1 2 2. Guess a 352-bit key Kf for rounds 40 to 50 in Ef , do follows, 0 2.1 Partially decrypt all the ciphertext pairs (Ci,Ci) with Kf to get their intermediate values just before round 40: (E−1 (C ),E−1 (C0)). Then, Kf i Kf i for each quartet ((C ,C0 ), (C ,C0 )), check if both the two 96-bit dif- i1 i1 i2 i2 ferences in words C, D and E positions of E−1 (C ) ⊕ E−1 (C ) and Kf i1 Kf i2 E−1 (C0 ) ⊕ E−1 (C0 ) belong to the set {(u, e , e )|ROT (u) ∈ S}. If Kf i1 Kf i2 7,29 2 30 the number of the quartets passing this test is greater than or equal to 6, then go to Step 2.2; Otherwise, repeat Step 2 with another guess for Kf . 2.2 Guess a 32-bit subkey K39 for round 39, and then decrypt each remain- ing quartet ((E−1 (C ),E−1 (C0 )), (E−1 (C ),E−1 (C0 ))) with K to Kf i1 Kf i1 Kf i2 Kf i2 39 get their intermediate values just before round 39: ((E−1 (E−1 (C )), K39 Kf i1 E−1 (E−1 (C0 ))), (E−1 (E−1 (C )),E−1 (E−1 (C0 )))). We denote them K39 Kf i1 K39 Kf i2 K39 Kf i2 by ((X ,X0 ), (X ,X0 )). Finally, check if both the two 128-bit differ- i1 i1 i2 i2 ences in words B, C, D and E positions of X ⊕ X and X0 ⊕ X0 i1 i2 i1 i2 belong to the set {(u, e7,29, e2, e29)}. If the number of the quartets pass- ing this test is greater than or equal to 6, then go to Step 2.3; Otherwise, repeat this step with another guess for K39 (If all the values of K39 fail, then go to Step 2). 2.3 Guess a 32-bit subkey K38 for round 38, and then decrypt each remain- ing quartet ((X ,X0 ), (X ,X0 )) with K to get their intermediate i1 i1 i2 i2 38 values just before round 38: ((E−1 (X ),E−1 (X0 )), (E−1 (X ),E−1 K38 i1 K38 i1 K38 i2 K38 (X0 ))). We denote them by ((X , X0 ), (X , X0 )). Finally, check if i2 i1 i1 i2 i2 0 0 both the two 160-bit differences Xi1 ⊕ Xi2 and X i1 ⊕ X i2 belong to the set {(u, e7,29, e2, e29, 0)}. If the number of the quartets passing this test is greater than or equal to 6, then record (Kf ,K38,K39) and go to Step 3; Otherwise, repeat this step with another guess for K38 (If all the values of K38 fail, then go to Step 2.2; If all the values of K39 fail, then go to Step 2). 3. For a suggested (K38,K39,Kf ), exhaustively search the remaining 96 key bits using trial encryption. Three known pairs of plaintexts and ciphertexts are enough for this trial process. If a 512-bit key is suggested, output it as the master key of the 51-round SHACAL-1. Otherwise, go to Step 2. This attack requires 2153.65 chosen plaintexts. The required memory for this attack is dominated by the ciphertext pairs, which is about 2153.65 · 20 ≈ 2157.97 memory bytes. The time complexity of Step 1 is 2153.65 51-round SHACAL-1 encryptions; The time complexity of Step 2.1 is dominated by the partial decryptions, which is 352 153.65 11 503.44 about 2 · 2 · 51 ≈ 2 . In Step 2.1, since the probability that a quartet 13 2 −184.6 meets the filtering condition in this step is ( 296 ) ≈ 2 , the expected number of the quartets passing the test for each subkey candidate is 2305.3 · 2−184.6 ≈ 2120.7, and it is evident that the probability that the number of quartets passing the test for a wrong subkey is no less than 6 is about 1. Thus, almost all the 2352 subkeys pass through Step 2.1. In Step 2.2, the time complexity is about 352 32 120.7 1 501.03 2 · 2 · 2 · 4 · 51 ≈ 2 . In this step, since the probability that a remaining quartet meets the filtering condition in this step is 2−32 ·2−32 ≈ 2−64, the expected number of the quartets passing the test for each subkey candidate is 2120.7 · 2−64 ≈ 256.7. Again, almost all the 2384 subkeys pass through Step 384 32 56.7 1 469.03 2.2. In Step 2.3, the time complexity is about 2 · 2 · 2 · 4 · 51 ≈ 2 . In this step, since the probability that a remaining quartet meets the filtering condition in this step is also 2−64, the expected number of the quartets passing the test for each subkey candidate is 256.7 · 2−64 ≈ 2−7.3, and the probability that the number of quartets passing the test for a wrong subkey is no less than 56.7 P2 256.7
−64 i −64 256.7−i −53.29 6 is about i=6 ( i · (2 ) · (1 − 2 ) ) ≈ 2 . Thus, on average, about 2416 · 2−53.29 = 2362.71 subkeys pass through Step 2.3, which result in 2362.71·296 ≈ 2458.71 51-round encryptions in Step 3. Therefore, this attack totally requires about 2153.65 + 2503.44 + 2501.03 + 2469.03 + 2458.71 ≈ 2503.7 encryptions. Since the probability that a wrong 512-bit key is suggested in Step 3 is about 2−480(= 2−160·3), the expected number of suggested wrong 512-bit keys is about 2−480 · 2458.71 ≈ 2−21.29, which is quite low. While the expected number of quartets passing the difference test in Step 2.5 for the right key is 8 (= 2305.3 · 2−302.3), and the probability that the number of quartets passing the difference P2305.3 2305.3
test in Step 2.5 for the right subkey is no less than 6 is about i=6 ( i · 305.3 (2−302.3)i · (1 − 2−302.3)2 −i) ≈ 0.81. Therefore, with a probability of 0.81, we can break the 51-round SHACAL-1 with 512 key bits by using the amplified boomerang attack, faster than an exhaustive search.

3.2 Attacking Rounds 28–79

A generic key recovery algorithm based on a rectangle distinguisher was first presented by Biham et al. in [4] and then updated in [7] recently, which treats a n k n 1 0 0 block cipher E : {0, 1} × {0, 1} → {0, 1} as E = Ef ◦ E ◦ E ◦ Eb, where E 1 and E constitute the rectangle distinguisher, while Eb and Ef are some rounds before and after the rectangle distinguisher, respectively. In this subsection, we will use their results to break the 52 rounds from round 28 to 79 of SHACAL-1. To apply the generic attack procedure [4], we need to determine the following six parameters:

• mb: the number of subkey bits in Eb to be attacked. • mf : the number of subkey bits in Ef to be attacked. • rb: the number of bits that are active or can be active before the attacked round, given that a pair has the difference α at the entrance of the rectangle distinguisher. • rf : the number of bits that are active or can be active after the attacked round, given that a pair has the difference δ at the output of the rectangle distinguisher. • 2tb : the number of possible differences before the attacked round, given that a pair has the difference α at the entrance of the rectangle distinguisher. • 2tf : the number of possible differences after the attacked round, given that a pair has the difference δ at the output of the rectangle distinguisher.

Our attack is applied in the backward direction, that is to say, it is a chosen ciphertext attack. Anyway, as the data requirement of the attack is the entire code book, it can be easily used as a known plaintext attack. 0 1 Let Eb denote round 79, E denote rounds 64 to 78, E denote rounds 41 to 63, and Ef denote rounds 38 to 40. We first describe the two differentials to be used in this rectangle distinguisher. By cyclically rotating the last 23- round differential in the 24-round differential to the right by 9 bit positions, we −49 can get a 23-round differential with probability q = 2 :(e30, e20, 0, 0, 0) → 1 (e5,20, e0,22, e25, e20, 0). This 23-round differential is used in E , while the Kim et al.’s second differential with probability p = 2−31 in Table 3 is used in E0. −47.77 Similarly, we can compute a lower bound probability qb = 2 for the 23- round differentials that only have variable output differences compared with the 23-round differential described above. As mentioned before, a lower bound −30.28 pb = 2 has been got by only changing the first one or two rounds in the Kim et al.’s second differential. Therefore, this 38-round rectangle distinguisher holds at least a probability of 2−316.1(≈ (2−47.77 · 2−30.28)2 · 2−160) for the right key, while it holds probability 2−320 for a wrong key. As we attack one round (i.e., round 79) before the distinguisher, we can compute mb, rb, and tb as follows: There is only one 32-bit subkey K79 in Eb, therefore, mb = 32. A pair with a difference (e9,19,29,31, e14,29, e7,29, e2, e29) before round 79 has a difference with the form (R, e9,19,29,31, e12,27, e7,29, e2) after round 79. Obviously, the bit differences in the three least significant bits of R will definitely be 0, while the bit differences in the other 29 bit positions will be variable. As a result, rb = 29 + 4 + 2 + 2 + 1 = 38. In our analysis, R has exactly 15648 15648 possible values. So, tb = log2 ≈ 13.9. There are three rounds (i.e., rounds 38 to 40) after the distinguisher, thus mf = 96. A pair that has a difference (e30, e20, 0, 0, 0) before round 41 has a difference with the form (e20, 0, 0, 0,S) before round 40, where S has the following 12 possible values: e25,30, e25,30,31, e25,26,30, e25,26,30,31, e25,26,27,30, e25,26,27,30,31, e25,26,27,28,30, e25,26,27,28,30,31, e25,26,27,28,29,30, e25,26,27,28,29,30,31, e25,26,27,28,29,31, e25,26,27,28,29. These differences can be reached from a difference with the form (0, 0, 0, S, T ) before round 39, where T has bits 20 to 31 active, of which bits 21 to 24 must take one of the five possible values 1x, 3x, 7x,Fx, and 1Fx according to the carry, while bits 25 to 31 cannot be predicted as they all depend on the exact value of S. This set of differences can be caused by differences with the form (0, 0, S, T, U) before round 38, where U has bits 20 to 31 active. Thus, 7 12 rf = 7 + 12 + 12 = 31, and there are at most 12 · (5 · 2 ) · 2 = 31457280 possible differences with the form (0, 0, S, T, U) before round 38, so tf = log2(31457280) ≈ 24.9. Assigning these parameters to the Biham et al.’s generic attack procedure leads to a rectangle attack on rounds 38 to 79. Then, with an exhaustive key search for the remaining 10 rounds, we can attack 52-round SHACAL-1. The attack procedure is summarized as follows.

Attack procedure

(a) Based on the above 38-round rectangle distinguisher, apply the Biham et al.’s generic attack procedure [7] on the 42 rounds from round 38 to 79 of SHACAL-1. Output the four 32-bit subkey candidates for rounds 38, 39, 40 and 79 with the maximal counter number. (b) Find the ten 32-bit subkeys for rounds 28 to 37 using an exhaustive search.

According to [7], the time complexity of Step (a) in our attack is about 2mb+mf +1 + N + N 2 · (2rf −n−1 + 2tf −n−1 + 22tf +2rb−2n−3 + 2mb+tb+2tf −2n−2 + 2mf +tf +2tb−2n−2) = 2129 + 2160 + 2320 · (231−161 + 224.9−161 + 22·24.9+2·38−323 + 232+13.9+2·24.9−322 + 296+24.9+2·13.9−322) ≈ 2190.02 memory accesses. In Step (b), by guessing the subkeys of rounds 28 to 37, it is possible to partially encrypt all the plaintexts and then apply the previous Step (a). Each subkey guess requires 2160 partial encryptions and 2190.02 memory accesses, therefore, the total time 320 160 10 477.6 320 complexity is 2 · 2 · 52 ≈ 2 52-round SHACAL-1 encryptions and 2 · 2190.02 = 2510.02 memory accesses.

Note: There exists another attack on the 52 rounds from round 28 to 79, which is composed of a similar rectangle attack on rounds 35 to 77, followed by an exhaus- tive search on the 288-bit subkeys of rounds 28 to 34, 78 and 79. Let Eb denote 0 1 round 77, E denote rounds 64 to 76, E denote rounds 38 to 63, and Ef denote rounds 35 to 37. For E0 we use the 13-round differential composed of rounds 23 to 35 in the second differential of [16], which holds probability p = 2−24. The 26-round differential (0, 0, e19,24, e14,19,24, e14) → (e14,31, e16,26, e19, e14, 0) with probability q = 2−55 is used in E1, which is obtained by cyclically rotating the 24-round differential to the left by 17 bit positions and appending two more rounds before the input. We computed a lower bound on the related probabil- −23.48 −53.77 ities pb = 2 and qb = 2 . Therefore, the distinguisher holds at least a probability of 2−314.5(≈ (2−53.77 ·2−23.48)2 ·2−160) for the right key, while it holds −320 probability 2 for a wrong key. As before we computed that mb = 32, rb = 38, ( 13 18 tb = 13.9, mf = 96, rf = 12+17+18 = 47, and tf = log29·64·12·2 ·2 ) ≈ 43.8. Finally, we can break 52-round SHACAL-1. According to [7], the data complexity n +2 80+53.77+23.48+2 159.25 is N = 2 2 /(pb · qb) = 2 = 2 chosen plaintexts/ciphertexts with difference (e9,19,29,31, e14,29, e7,29, e2, e29) before round 76, however, this can- not be guaranteed if we start with chosen ciphertexts. Alternatively, we apply the attack as a known plaintext attack. With 2159.625 known plaintexts, we can get 2318.25 pairs, of which about 2158.25(= 2318.25 · 2−160) would have the desired 288 159.625 9 445.1 difference. This attack requires 2 · 2 · 52 ≈ 2 encryptions and the time complexity is about 2288 · [2mb+mf +1 + N + N 2 · (2rf −n−1 + 2tf −n−1 + 22tf +2rb−2n−3 + 2mb+tb+2tf −2n−2 + 2mf +tf +2tb−2n−2)] = 2288 · [2129 + 2159.25 + 2318.5 · (2−114 + 2−117.2 + 2−157.4 + 2−185 + 2−147.4) ≈ 2204.65] = 2492.65 memory accesses.

4 Differential Attacks on Reduced-Round SHACAL-1

The 24-round differential can be extended to a 30-round differential character- istic (e29, 0, 0, 0, e2,7) → (e0,4,12,17,24,25,27,29, e7,17,19,31, e0,5,15,27,30, e5,17,25,27,29, −93 e2,5,22,27) with probability 2 , which has a significantly higher probability than the longest currently known (30-round) differential with probability 2−138 due to Kim et al.. More importantly, it can be extended to as long as a 34-round differen- tial (e29, 0, 0, 0, e2,7) → (e0,5,7,12,13,15,17,20,28,29, e5,7,9,23,25,29, e3,12,15,18,20,25,27,30, −148 e5,7,13,15,17,23,25,29, e2,10,15,22,23,25,27,30) with probability 2 . See Table 5 in Appendix A for more details. These differentials with different rounds can be used to attack reduced round variants of SHACAL-1. Here, we just present the differential attack on 55-round SHACAL-1 with 512 key bits based on the 34-round differential.

4.1 Attacking Rounds 15–69

The 34-round differential can be applied to the 34 rounds from round 40 to 73, due to the differential distribution of the two functions fif and fmaj. Then, by appending 10 more rounds before round 40 and removing the last 4 rounds in the above 34-round differential, we exploit a 40-round differential characteristic with −154 probability 2 for rounds 30 to 69: (e4,8,11,13,16, e3,8,11,13,31, e1,6,11,16,21,29,31, e1,4,8,11,13,16,21, e3,9,11,13,16,18,21,29,31) → (e0,4,12,17,24,25,27,29, e7,17,19,31, e0,5,15,27,30, e5,17,25,27,29, e2,5,22,27). See Table 6 in Appendix A. This 40-round differential can be used to mount a chosen ciphertext attack on the 55 rounds from round 15 to 69. By counting the 30 possible 40-round differentials that only have variable input differences (e4,8,11,13,16, e3,8,11,13,31, e1,6,11,16,21,29,31, e1,4,8,11,13,16,21, ∆E30) compared with the 40-round differential described above (where ∆E30 are shown in Table 1), we can conclude these 40- round differentials hold a lower bound probability 2−150(= 2 · 2−154 + 28 · 2−155) for a right key, while they hold a probability of 2−155.09(≈ 30·2−160) for a wrong key. Consequently, we can break the 55-round SHACAL-1 as follows.

Attack procedure

153 1. Choose 2 pairs of ciphertexts with difference (e0,4,12,17,24,25,27,29, e7,17,19,31, 0 153 e0,5,15,27,30, e5,17,25,27,29, e2,5,22,27): (Ci,Ci), for i = 1, ··· , 2 . Decrypt them 0 to get their corresponding plaintext pairs (Pi,Pi ). 2. Guess a 352-bit key Kf for rounds 15 to 25, do follows, Table 1. Possible input differences ∆E30 in Round 30 with their respective probabil- ities

Prob. ∆E30 −154 2 e3,9,11,13,16,18,21,29,31, e3,4,9,11,13,16,18,21,29,31 e3,4,5,9,11,13,16,18,21,29,31, e3,5,9,11,13,16,18,21,29,31, e3,5,6,9,11,13,16,18,21,29,31, e3,4,5,6,9,11,13,16,18,21,29,31, e3,7,9,11,13,16,18,21,29,31, e3,4,7,9,11,13,16,18,21,29,31, e3,9,10,11,13,16,18,21,29,31, e3,4,9,10,11,13,16,18,21,29,31, e3,9,10,13,16,18,21,29,31, e3,4,9,10,13,16,18,21,29,31, e3,9,11,12,13,16,18,21,29,31, e3,4,9,11,12,13,16,18,21,29,31, −155 2 e3,9,11,12,16,18,21,29,31, e3,4,9,11,12,16,18,21,29,31, e3,9,11,13,14,16,18,21,29,31, e3,4,9,11,13,14,16,18,21,29,31, e3,9,11,13,16,17,18,21,29,31, e3,4,9,11,13,16,17,18,21,29,31, e3,9,11,13,16,17,21,29,31, e3,4,9,11,13,16,17,21,29,31, e3,9,11,13,16,18,19,21,29,31, e3,4,9,11,13,16,18,19,21,29,31, e3,9,11,13,16,18,21,22,29,31, e3,4,9,11,13,16,18,21,22,29,31, e3,9,11,13,16,18,21,29,30,31, e3,4,9,11,13,16,18,21,29,30,31, e3,9,11,13,16,18,21,29,30, e3,4,9,11,13,16,18,21,29,30

0 2.1 Partially encrypt each pair (Pi,Pi ) using Kf to get their intermediate 0 values just after round 25: (EKf (Pi),EKf (Pi )). Then, check if the 32-bit 0 difference ∆A26 in EKf (Pi)⊕EKf (Pi ) belongs to {ROT2(∆E30)|∆E30 are 0 those in T able 1}. If the number of the pairs (Pi,Pi ) passing this test is greater than or equal to 6, then record Kf and all the qualified pairs 0 (Pi,Pi ) and go to Step 2.2; Otherwise, repeat this step with another Kf . 2.2 Guess a 32-bit subkey K26 for round 26, then partially encrypt each pair 0 (EKf (Pi),EKf (Pi )) with K26 to get their intermediate values just after 0 round 26. We denote these values by (Xi,Xi). Finally, check if the 64-bit 0 difference (∆A27, ∆B27) in Xi ⊕Xi belongs to {(e3,6,10,13,15,18,23,ROT2( 0 ∆E30))}. If the number of the pairs (EKf (Pi),EKf (Pi )) passing this test is greater than or equal to 6, then record (Kf ,K26) and all the 0 qualified pairs (Xi,Xi) and go to Step 2.3; Otherwise, repeat this step with another K26. 2.3 Guess a 32-bit subkey K27 for round 27, then partially encrypt each re- 0 maining pair (Xi,Xi) with K27 to get their intermediate values just after 0 round 27. We denote them by (Xi, Xi). Finally, check if the 96-bit differ- 0 ence (∆A28, ∆B28, ∆C28) in Xi⊕Xi belongs to the set {(e1,3,8,13,18,23,31, 0 e3,6,10,13,15,18,23,ROT2(∆E30))}. If the number of the pairs (Xi,Xi) pass- ing this test is greater than or equal to 6, then record (Kf ,K26,K27) and 0 all the qualified pairs (Xi, Xi) and go to Step 2.4; Otherwise, repeat this step with another K27. 2.4 Guess a 32-bit subkey K28 for round 28, then partially encrypt each re- 0 maining pair (Xi, Xi) with K28 to get their intermediate values just after 0 round 28. We denote them by (Xbi, Xbi). Finally, check if the 128-bit dif- 0 ference (∆A29, ∆B29, ∆C29, ∆D29) in Xbi ⊕ Xbi belongs to {(e3,8,11,13,31, e1,3,8,13,18,23,31, e3,6,10,13,15,18,23,ROT2(∆E30))}. If the number of the pairs 0 (Xi, Xi) passing this test is greater than or equal to 6, then record 0 (Kf ,K26,K27,K28) and all the qualified pairs (Xbi, Xbi) and go to Step 2.5; Otherwise, repeat this step with another K28. 2.5 Guess a 32-bit subkey K29 for round 29, then partially encrypt each re- 0 maining pair (Xbi, Xbi) with K29, and finally check if the 160-bit difference 0 EK29 (Xbi)⊕EK29 (Xbi) belongs to {(e4,8,11,13,16, e3,8,11,13,31, e1,3,8,13,18,23,31, 0 e3,6,10,13,15,18,23,ROT2(∆E30))}. If the number of the pairs (Xbi, Xbi) pass- ing this test is greater than or equal to 6, then record (Kf ,K26,K27,K28, K29); Otherwise, repeat Step 2 with another 352-bit key. 3. For a suggested (Kf ,K26,K27,K28,K29), do an exhaustive search for the remaining 32 key bits using trial encryption. Four known pairs of plaintexts and ciphertexts are enough for this trial process. If a 512-bit key is suggested, output it as the master key of the 55-round SHACAL-1; Otherwise, repeat Step 2 with another 352-bit key.

This attack requires 2154 chosen plaintexts. The memory for this attack is also dominated by the ciphertext pairs, so it requires about 2154 · 20 ≈ 2158.32 memory bytes. The time complexity of Step 1 is 2154 55-round SHACAL-1 encryptions; The time complexity of Step 2.1 is dominated by the partial decryptions, which is 352 154 11 503.68 about 2 ·2 · 55 ≈ 2 . In Step 2.1, since the probability that a pair meets 30 −27.09 the filtering condition in this step is 232 ≈ 2 , the expected number of the pairs passing the test for each subkey candidate is 2153 ·2−27.09 ≈ 2125.91, and the probability that the number of pairs passing this test for a wrong subkey is no less 153 P2 2153
−27.09 i −27.09 2153−i than 6 is about i=6 ( i ·(2 ) ·(1−2 ) ) ≈ 1. Thus, almost all the 2352 subkeys pass through Step 2.1. In Step 2.2, the time complexity is about 352 32 125.91 1 505.13 2 ·2 ·2 ·2· 55 ≈ 2 . In this step, since the probability that a remaining pair meets the filtering condition in this step is 2−32, the expected number of the pairs passing the test for each subkey candidate is 2125.91 ·2−32 ≈ 293.91, and the probability that the number of pairs passing the test for a wrong subkey is no less 125.91 P2 2125.91
−32 i −32 2125.91−i than 6 is about i=6 ( i · (2 ) · (1 − 2 ) ) ≈ 1. Thus, almost all the 2384 subkeys pass through Step 2.2. Similarly, we can get that the time complexity in either of Step 2.3, 2.4 and 2.5 is also 2505.13; Besides, almost all the 2448 subkeys pass through Step 2.4, and the expected number of the pairs passing the test in Step 2.4 for each subkey candidate is 293.91 · 2−32×2 ≈ 229.91. In Step 2.5, since the probability that a remaining pair meets the filtering condition in this step is also 2−32, the expected number of the pairs passing the test for each subkey candidate is 229.91 · 2−32 ≈ 2−2.09, and the probability that the number of pairs passing the test for a wrong subkey is no less than 6 is 29.91 P2 229.91
−32 i −32 229.91−i −22.03 about i=6 ( i · (2 ) · (1 − 2 ) ) ≈ 2 . Thus, on average, about 2448 · 232 · 2−22.03 ≈ 2457.97 subkeys pass through Step 2.5, which result in 2457.97 ·232 ≈ 2489.97 encryptions in Step 3. Therefore, this attack totally requires about 2154 + 2503.68 + 4 · 2505.13 + 2489.97 ≈ 2507.26 encryptions. Since the probability that a wrong 512-bit key is suggested in Step 3 is about 2−640(= 2−160·4), the expected number of suggested wrong 512-bit keys is about 2−640 · 2489.97 ≈ 2−150.03, which is extremely low. The expected number of the pairs passing the test in Step 2.5 for the right key is 8 (= 2153 · 2−150) and the probability that the number of the pairs passing the test in Step 2.5 for the right 153 P2 2153
−150 i −150 2153−i subkey is no less than 6 is about i=6 ( i · (2 ) · (1 − 2 ) ) ≈ 0.8. Therefore, with a probability of 0.8, we can break the 55-round SHACAL-1 with 512 key bits by using the differential attack.

4.2 Attacking Rounds 0–48

The 34-round differential in Table 5 can be used to mount a chosen-plaintext dif- ferential attack on the first 49 rounds of SHACAL-1 with a 512-bit key. By count- ing the 64 possible 34-round differentials that have only variable output differ- ences (e0,5,7,12???,17,20,28???, e5,7,9,23,25,29, e3,12,15,18,20,25,27,30, e5,7,13,15,17,23,25,29, e2,10,15,22,23,25,27,30) compared with the one in Table 5, we can learn that they hold a probability of 2−138(= 64 · 22 · 2−148) for the right key, and hold a prob- ability of 2−154(= 64 · 2−160) for a wrong key, where “i???” (i = 12, 28) means that the bit in i position takes 1 and each of the three bits in i + 1, i + 2 and i + 3 positions takes an arbitrary value from {0, 1}. Similarly, using 2141 pairs of plaintexts with difference (e29, 0, 0, 0, e2,7) and such four fixed bits as described in Section 3.1, the attack requires about 2146.32(≈ 2142 · 20) memory bytes and 496.45 352 142 11 384 141 64 1 2 (≈ 2 · 2 · 49 + 4 · 2 · 2 · 232 · 2 · 49 ) encryptions.

Table 2. Comparison of our new results and the previous ones on SHACAL-1 in an one key scenario

T ype of Attack Rounds Data T ime Source 41(0 − 40) 2141CP 2491 [16] Differential cryptanalysis 49(0 − 48) 2142CP 2496.45 This paper 55(15 − 69) 2154CC 2507.26 This paper Amplified boomerang attack 47(0 − 46) 2158.5CP 2508.4 [16] 47(0 − 46) 2151.9CP 2482.6 [5] 49(29 − 77) 2151.9CP 2508.5 [5] Rectangle attack 49(22 − 70) 2151.9CP 2508.5 [5] 51(0 − 50) 2153.65CC 2503.7 This paper 52(28 − 79) 2160CC 2510.02MA This paper 52(28 − 79) 2159.625KP 2492.65MA This paper CP: Chosen plaintexts, CC: Chosen ciphertexts, KP: Known plaintexts Time unit: Encryption, MA: Memory access

5 Conclusions

In this paper, we exploit some better rectangle distinguishers and differential characteristics than those previously known in SHACAL-1. Based on them, we finally mount rectangle attacks on the first 51 rounds and a series of inner 52 rounds of SHACAL-1, and mount differential attacks on the first 49 rounds and a series of inner 55 rounds of SHACAL-1. These are the best currently known cryptanalytic results on SHACAL-1 in an one key attack scenario. Table 2 compares our new cryptanalytic results with the previous chosen plaintext or ciphertext results on SHACAL-1 with 512 key bits.

Acknowledgments

The authors are very grateful to Jiqiang Lu’s supervisor Prof. Chris Mitchell for his valuable editorial comments and to the anonymous referees for their comments. Jiqiang Lu would like to thank Prof. Eli Biham for his help.

References

1. E. Biham, New types of cryptanalytic attacks using related keys, Advances in Cryptology — EUROCRYPT’93, T. Helleseth (ed.), Volume 765 of Lecture Notes in Computer Science, pp. 398–409, Springer-Verlag, 1993. 2. E. Biham and A. Shamir, Differential cryptanalysis of the Data Encryption Stan- dard, Springer-Verlag, 1993. 3. E. Biham, O. Dunkelman, and N. Keller, The rectangle attack — rectangling the Serpent, Advances in Cryptology — EUROCRYPT’01, B. Pfitzmann (ed.), Volume 2045 of Lecture Notes in Computer Science, pp. 340–357, Springer-Verlag, 2001. 4. E. Biham, O. Dunkelman, and N. Keller, New results on boomerang and rectangle attacks, Proceedings of FSE’02, J. Daemen and V. Rijmen (eds.), Volume 2365 of Lecture Notes in Computer Science, pp. 1–16, Springer-Verlag, 2002. 5. E. Biham, O. Dunkelman, and N. Keller, Rectangle attacks on 49-round SHACAL-1, Proceedings of FSE’03, T. Johansson (ed.), Volume 2887 of Lecture Notes in Computer Science, pp. 22–35, Springer-Verlag, 2003. 6. E. Biham, O. Dunkelman, and N. Keller, Related-key boomerang and rectangle attacks, Advances in Cryptology — EUROCRYPT’05, R. Cramer (ed.), Volume 3494 of Lecture Notes in Computer Science, pp. 507–525, Springer-Verlag, 2005. 7. O. Dunkelman, Techniques for cryptanalysis of block ciphers, Ph.D dissertation of Technion, 2006. Available at http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr- info.cgi?2006/PHD/PHD-2006-02 8. O. Dunkelman, N. Keller, and J. Kim, Related-key rectangle attack on the full SHACAL-1, Proceedings of SAC’06, to appear in Lecture Notes in Computer Sci- ence, Springer-Verlag, 2006. 9. H. Handschuh, L. R. Knudsen, and M. J. Robshaw, Analysis of SHA-1 in encryption mode, Proceedings of CT-RSA’01, D. Naccache (ed.), Volume 2020 of Lecture Notes in Computer Science, pp. 70–83, Springer-Verlag, 2001. 10. H. Handschuh and D. Naccache, SHACAL, Proceedings of The First Open NESSIE Workshop, 2000. Available at https://www.cosic.esat.kuleuven.be/nessie/work- shop/submissions.html 11. H. Handschuh and D. Naccache, SHACAL, NESSIE, 2001. Available at https://www.cosic.esat.kuleuven.be/nessie/tweaks.html 12. S. Hong, J. Kim, S. Lee, and B. Preneel, Related-key rectangle attacks on re- duced versions of SHACAL-1 and AES-192, Proceedings of FSE’05, H. Gilbert and H. Handschuh (eds.), Volume 3557 of Lecture Notes in Computer Science, pp. 368–383, Springer-Verlag, 2005. 13. J. Kelsey, T. Kohno, and B. Schneier, Amplified boomerang attacks against reduced-round MARS and Serpent, Proceedings of FSE’00, B. Schneier (ed.), Vol- ume 1978 of Lecture Notes in Computer Science, pp. 75–93, Springer-Verlag, 2001 14. J. Kelsey, B. Schneier, and D. Wagner, Key-schedule cryptanalysis of IDEA, G- DES, GOST, SAFER, and Triple-DES, Advances in Cryptology — CRYPTO’96, N. Koblitz (ed.), Volume 1109 of Lecture Notes in Computer Science, pp. 237–251, Springer–Verlag, 1996. 15. J. Kim, G. Kim, S. Hong, S. Lee, and D. Hong, The related-key rectangle attack — application to SHACAL-1, Proceedings of ACISP’04, H. Wang, J. Pieprzyk, and V. Varadharajan (eds.), Volume 3108 of Lecture Notes in Computer Science, pp. 123–136, Springer-Verlag, 2004. 16. J. Kim, D. Moon, W. Lee, S. Hong, S. Lee, and S. Jung, Amplified boomerang attack against reduced-round SHACAL, Advances in Cryptology — ASI- ACRYPT’02, Y. Zheng (ed.), Volume 2501 of Lecture Notes in Computer Science, pp. 243–253, Springer-Verlag, 2002. 17. H. Lipmaa and S. Moriai, Efficient algorithms for computing differential properties of addition, Proceedings of FSE’01, M. Matsui (ed.), Volume 2355 of Lecture Notes in Computer Science, pp. 336–350, Springer-Verlag, 2001. 18. M. Matsui, Linear cryptanalysis method for DES cipher, Advances in Cryptology — EUROCRYPT’93, T. Helleseth (ed.), Volume 765 of Lecture Notes in Computer Science, pp. 386–397, Springer-Verlag, 1994. 19. NESSIE, https://www.cosic.esat.kuleuven.be/nessie/ 20. J. Nakahara Jr, The statistical evaluation of the NESSIE submission, 2001. Available at https://www.cosic.esat.kuleuven.ac.be/nessie/reports/phase1/kulwp3- 016.pdf 21. U.S. Department of Commerce, Secure Hash Standard FIPS 180-1, N.I.S.T., 1995. 22. U.S. Department of Commerce, Secure Hash Standard FIPS 180-2, N.I.S.T., 2002. 23. D. Wagner, The boomerang attack, Proceedings of FSE’99, L. Knudsen (ed.), Volume 1636 of Lecture Notes in Computer Science, pp. 156–170, Springer-Verlag, 1999.

A Differential Characteristics of SHACAL-1 Table 3. The two differentials in the Kim et al.’s 36-round amplified boomerang dis- tinguisher [16]

Round ∆A ∆B ∆C ∆D ∆E Prob. Round ∆A ∆B ∆C ∆D ∆E Prob. −4 −1 input 0 e22 e15 e10 e5 2 11 e1 0 0 0 e6 2 −3 −1 1 e5 0 e20 e15 e10 2 12 0 e1 0 0 0 2 −3 −1 2 0 e5 0 e20 e15 2 13 0 0 e31 0 0 2 −2 −1 3 e15 0 e3 0 e20 2 14 0 0 0 e31 0 2 −2 4 0 e15 0 e3 0 2 15 0 0 0 0 e31 1 −2 −1 5 0 0 e13 0 e3 2 16 e31 0 0 0 0 2 −2 −2 6 e3 0 0 e13 0 2 17 e4 e31 0 0 0 2 −2 −3 7 e8 e3 0 0 e13 2 18 e9 e4 e29 0 0 2 −2 −4 8 0 e8 e1 0 0 2 19 e14 e9 e2 e29 0 2 −2 −5 9 0 0 e6 e1 0 2 20 e19 e14 e7 e2 e29 2 −2 10 0 0 0 e6 e1 2 output e2,7,14,24,29 e19 e12 e7 e2 / −3 21 e1,5,8 e1,3,5 e3,13 e1,5,13,31 e6,10,13,31 2 29 0 0 e31 e31 0 1 −4 22 0 e1,5,8 e1,3,31 e3,13 e1,5,13,31 2 30 0 0 0 e31 e31 1 −4 23 e1,8 0 e3,6,31 e1,3,31 e3,13 2 31 0 0 0 0 e31 1 −4 −1 24 e1,3 e1,8 0 e3,6,31 e1,3,31 2 32 e31 0 0 0 0 2 −3 −1 25 0 e1,3 e6,31 0 e3,6,31 2 33 e4 e31 0 0 0 2 −2 −3 26 e1 0 e1,31 e6,31 0 2 34 e9,31 e4 e29 0 0 2 −1 −4 27 e1 e1 0 e1,31 e6,31 2 35 e14,29 e9,31 e2 e29 0 2 −1 28 0 e1 e31 0 e1,31 2 output e9,19,29,31 e14,29 e7,29 e2 e29 /

Table 4. A 24-round differential with probability 2−50 for Rounds 0 to 23

Round(i) ∆Ai ∆Bi ∆Ci ∆Di ∆Ei Prob. Round(i) ∆Ai ∆Bi ∆Ci ∆Di ∆Ei Prob. −2 −2 input e29 0 0 0 e2,7 2 13 0 e8 e1 0 0 2 −2 −2 1 e7 e29 0 0 0 2 14 0 0 e6 e1 0 2 −3 −2 2 e12 e7 e27 0 0 2 15 0 0 0 e6 e1 2 −4 −1 3 e17 e12 e5 e27 0 2 16 e1 0 0 0 e6 2 −4 −1 4 e22 e17 e10 e5 e27 2 17 0 e1 0 0 0 2 −4 −1 5 0 e22 e15 e10 e5 2 18 0 0 e31 0 0 2 −3 −1 6 e5 0 e20 e15 e10 2 19 0 0 0 e31 0 2 −3 7 0 e5 0 e20 e15 2 20 0 0 0 0 e31 1 −2 −1 8 e15 0 e3 0 e20 2 21 e31 0 0 0 0 2 −2 −1 9 0 e15 0 e3 0 2 22 e4 e31 0 0 0 2 −2 −3 10 0 0 e13 0 e3 2 23 e9,31 e4 e29 0 0 2 −2 11 e3 0 0 e13 0 2 output e14,29 e9,31 e2 e29 0 / −2 12 e8 e3 0 0 e13 2 Table 5. A 34-round differential with probability 2−148 for Rounds 0 to 33

Round(i) (∆Ai, ∆Bi, ∆Ci, ∆Di, ∆Ei) Prob. −2 0 (e29, 0, 0, 0, e2,7) 2 ...... −4 24 (e14,29, e9,31, e2, e29, 0) 2 −6 25 (e9,19,29,31, e14,29, e7,29, e2, e29) 2 −7 26 (e4,7,24,29, e9,19,29,31, e12,27, e7,29, e2) 2 −8 27 (e7,19,27,29,31, e4,7,24,29, e7,17,27,29, e12,27, e7,29) 2 −8 28 (e0,2,7,17,29, e7,19,27,29,31, e2,5,22,27, e7,17,27,29, e12,27) 2 −10 29 (e7,17,19,31, e0,2,7,17,29, e5,17,25,27,29, e2,5,22,27, e7,17,27,29) 2 −13 30 (e0,4,12,17,24,25,27,29, e7,17,19,31, e0,5,15,27,30, e5,17,25,27,29, e2,5,22,27) 2 −13 31 (e7,9,15,17,19,25,27,31, e0,4,12,17,24,25,27,29, e5,15,17,29, e0,5,15,27,30, e5,17,25,27,29) 2 −15 32 (e0,5,14,17,20,22,27,29, e7,9,15,17,19,25,27,31, e2,10,15,22,23,25,27,30, e5,15,17,29, 2 e0,5,15,27,30) −14 33 (e5,7,9,23,25,29, e0,5,14,17,20,22,27,29, e5,7,13,15,17,23,25,29, e2,10,15,22,23,25,27,30, 2 e5,15,17,29) output (e0,5,7,12,13,15,17,20,28,29, e5,7,9,23,25,29, e3,12,15,18,20,25,27,30, e5,7,13,15,17,23,25,29, / e2,10,15,22,23,25,27,30)

Table 6. A 40-round differential with probability 2−154 for Rounds 30 to 69

Round(i) (∆Ai, ∆Bi, ∆Ci, ∆Di, ∆Ei) Prob. −10 30 (e4,8,11,13,16, e3,8,11,13,31, e1,6,11,16,21,29,31, e1,4,8,11,13,16,21, e3,9,11,13,16,18,21,29,31) 2 −9 31 (e6,31, e4,8,11,13,16, e1,6,9,11,29, e1,6,11,16,21,29,31, e1,4,8,11,13,16,21) 2 −10 32 (e1,4,9,11,16,31, e6,31, e2,6,9,11,14, e1,6,9,11,29, e1,6,11,16,21,29,31) 2 −8 33 (e4,6,9,11, e1,4,9,11,16,31, e4,29, e2,6,9,11,14, e1,6,9,11,29) 2 −7 34 (e31, e4,6,9,11, e2,7,9,14,29,31, e4,29, e2,6,9,11,14) 2 −4 35 (e4,9,31, e31, e2,4,7,9, e2,7,9,14,29,31, e4,29) 2 −5 36 (e4,9, e4,9,31, e29, e2,4,7,9, e2,7,9,14,29,31) 2 −4 37 (0, e4,9, e2,7,29, e29, e2,4,7,9) 2 −1 38 (0, 0, e2,7, e2,7,29, e29) 2 −3 39 (0, 0, 0, e2,7, e2,7,29) 2 −2 40 (e29, 0, 0, 0, e2,7) 2 ...... −10 69 (e7,17,19,31, e0,2,7,17,29, e5,17,25,27,29, e2,5,22,27, e7,17,27,29) 2 output (e0,4,12,17,24,25,27,29, e7,17,19,31, e0,5,15,27,30, e5,17,25,27,29, e2,5,22,27) /